In our first article on policy-based network management and metadirectory technologies, we defined some terminology and introduced key concepts. Now that we've laid the groundwork, we can get down to the business of specifying the goals of this nascent technology and examine some of the hurdles that must be overcome in its implementation.
For an introduction to metadirectory technologies, check out Mark Kaelin’s first article in this series, "The future of network administration is here, and it’s called a metadirectory."
The promise of policy-based network management is to cut costs by optimizing network usage and automating the chores associated with day-to-day operations. The technology that implements management’s network policies is the directory. Directories, of course, are the main gatekeepers for giving employees, customers, and business partners access to enterprise networks, applications, intranets, and extranets.
The goal of directory-enabled networking is to establish a common management interface for all network resources in an enterprise. Prime candidates for the technology are white pages and yellow pages applications, e-commerce and security, e-mail and messaging, network and systems management, and policy-based networking. The data is represented as objects in a hierarchical tree and typically includes names, e-mail addresses, phone numbers, passwords, access rights, details on network devices, and applications.
> Microsoft’s Windows 2000 Active Directory provides the ability to track millions of objects, including users, resources, and accounts, via a single console.
The theory behind the metadirectory is that consolidating multiple directories within an enterprise will lower costs, increase directory interoperability, and reduce administration time. The metadirectory links the individual directories within an organization via the “join,” which is software that integrates heterogeneous data from multiple repositories to provide a common view of all resources. A network manager should, with proper directory synchronization and multiple-namespace support, be able to make changes in one directory and have them automatically update all directories in the organization.
The initial best use for metadirectory technology may be in electronic commerce. Metadirectory functions will allow a company to publish an always-current subset of its enterprise directory to an extranet. In addition, companies can use the technology to integrate internal customer directories in an environment where different business units conduct business with the same customers, creating a single point of management and access for customer information. By providing the repository for maintaining customer identity and policy, and the means to integrate information across the extranet, directory services will play an increasingly important role in e-business, point-to-point relationships, and architectures.
A directory capable of fully supporting an array of enterprise applications must possess characteristics such as advanced naming and location functions, sophisticated administration and management mechanisms, and substantial security features. A hierarchical namespace is necessary in this context because it enables the property of inheritance, which means that a change to an entry is automatically propagated to subordinate entries in the directory system.
Establishing a directory infrastructure in an organization requires not only choosing a standard technology but also the consideration of numerous political mechanisms within that organization. Management must be persuaded that such a project has enough merit to justify the substantial cost, and each department must buy into an effort that appears to lessen its power over its own data.
The proliferation of legacy directories increases the complexity of these systems and hinders their implementation. Directory management systems require that companies retrofit legacy data into a directory infrastructure. Unfortunately, the standards for accomplishing this retrofit are yet to be ironed out.
Another potential problem with the directory management system is multimaster replication, which is endorsed by both Microsoft (in Active Directory) and Novell (in Novell Directory Services, or NDS). While the feature is good for administration and access, it can also create issues regarding data integrity. In a multimaster system, a number of directory replicas are available throughout a network. The system provides fault tolerance, reduces wide-area traffic, and improves performance by keeping information close to those who need it.
However, because the data can be updated and stored in multiple places, problems with data integrity can arise when two or more administrators make changes to the same information within a replication cycle. Microsoft and Novell attack this problem in different ways. Microsoft’s Active Directory uses an Update Sequence Number system, which assigns a number to each update. Novell uses a time-stamp to distinguish directory changes.
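To make the data-integrity hazard concrete, here is an added example (not from the article or from either vendor’s software) that models two replicas accepting conflicting writes to the same attribute within one replication cycle. A naive “last write received wins” rule leaves the replicas disagreeing, while any deterministic tie-break converges; the version-counter and time-stamp rules below are simplified stand-ins for the per-update sequence numbers and time-stamps the article attributes to Active Directory and NDS, not those products’ actual algorithms. Replica names, attribute values and clock values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Write:
    attr: str
    value: str
    version: int   # counter incremented by the originating replica per update
    stamp: float   # originating replica's clock at the time of the update
    origin: str    # originating replica's name, used as the final tie-break

class Replica:
    def __init__(self, name):
        self.name, self.clock = name, 0
        self.state = {}    # attribute -> Write currently in effect
        self.outbox = []   # local writes not yet replicated to the peer

    def local_write(self, attr, value, stamp):
        self.clock += 1
        w = Write(attr, value, self.clock, stamp, self.name)
        self.state[attr] = w
        self.outbox.append(w)

    def receive(self, w, rule):
        cur = self.state.get(w.attr)
        if cur is None or rule(w, cur):   # rule decides whether the incoming write wins
            self.state[w.attr] = w

def accept_any(new, cur):      # naive: whatever arrives last wins
    return True

def version_wins(new, cur):    # simplified stand-in for per-update sequence numbers
    return (new.version, new.origin) > (cur.version, cur.origin)

def timestamp_wins(new, cur):  # simplified stand-in for time-stamp resolution
    return (new.stamp, new.origin) > (cur.stamp, cur.origin)

def exchange(a, b, rule):      # one replication cycle in both directions
    for w in a.outbox:
        b.receive(w, rule)
    for w in b.outbox:
        a.receive(w, rule)

def run_scenario(rule):
    """Return (value on dc1, value on dc2) after one replication cycle."""
    a, b = Replica("dc1"), Replica("dc2")
    # Constructed conflict: an admin on dc1 changes a phone number twice, while
    # an admin on dc2 sets it to a different value slightly later.
    a.local_write("phone", "555-1000", stamp=10.0)
    a.local_write("phone", "555-1001", stamp=12.0)
    b.local_write("phone", "555-2000", stamp=13.0)
    exchange(a, b, rule)
    return a.state["phone"].value, b.state["phone"].value
```

With `accept_any` the two replicas end the cycle holding different values; with either deterministic rule they agree, though the two rules pick different winners, which is why an organization should know which policy its directory product applies before letting several administrators edit the same objects.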
Some of the early examples of directory-enabled network administration demonstrate why such systems are needed. Instead of relying on standards or vendor-specific product integration, the University of Clemson decided to develop its own system for instituting single-user identification numbers and passwords for all servers and applications. Students can now access both the e-mail system and the class registration servers with the same username and password. Brigham Young University has implemented a similar system for its students and staff.
Using a prerelease version of Windows 2000 and its Active Directory component has allowed Compaq Computer Corp. to combine all of its resources, including thousands of machines and 85,000 employees, as objects in a single directory. Active Directory gives Compaq a centralized repository for information and facilitates access to that information, as well as the enforcement of company-wide standards. Because a company’s resources must be organized hierarchically in Active Directory, preparation is particularly critical and time-consuming. The software not only makes it possible to centralize resource administration for an entire company, but it also allows delegation of administrative privileges to lower levels.
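As an added illustration (not from the article or from Active Directory itself) of the hierarchical namespace, inheritance and delegation described above: a toy directory in which permissions granted on a container flow down to subordinate entries, so a help-desk group delegated password resets on one organizational unit holds nothing on a sibling unit, while a grant at the root reaches every object. DN strings, group names and permission names are constructed, and the DN parsing is a simplification that ignores escaped commas.

```python
def parent(dn):
    """Parent of an LDAP-style DN, or None at the root (simplified: no escaped commas)."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None

def ancestors(dn):
    """Yield dn, then its parent, grandparent, ... up to the root."""
    while dn is not None:
        yield dn
        dn = parent(dn)

class Directory:
    def __init__(self):
        self.acl = {}   # container DN -> list of (trustee, permission, inheritable)

    def grant(self, dn, trustee, perm, inheritable=True):
        """Grant perm to trustee on dn; inheritable grants also cover every subordinate entry."""
        self.acl.setdefault(dn, []).append((trustee, perm, inheritable))

    def effective(self, trustee, target):
        """Permissions trustee holds on target: its own ACL plus inheritable ACLs of every ancestor."""
        perms = set()
        for node in ancestors(target):
            for t, p, inheritable in self.acl.get(node, []):
                if t == trustee and (inheritable or node == target):
                    perms.add(p)
        return perms

ROOT = "dc=example,dc=com"   # constructed naming context

def build_example():
    """Constructed tree: one admin group at the root, delegated rights on two OUs."""
    d = Directory()
    d.grant(ROOT, "cn=domain-admins", "full-control")                    # reaches every entry
    d.grant(f"ou=sales,{ROOT}", "cn=sales-helpdesk", "reset-password")   # delegated to one OU only
    d.grant(f"ou=finance,{ROOT}", "cn=fin-auditors", "read", inheritable=False)  # this entry only
    return d

if __name__ == "__main__":
    d = build_example()
    for who, what in [("cn=sales-helpdesk", f"cn=alice,ou=sales,{ROOT}"),
                      ("cn=sales-helpdesk", f"cn=bob,ou=finance,{ROOT}"),
                      ("cn=domain-admins", f"cn=bob,ou=finance,{ROOT}"),
                      ("cn=fin-auditors", f"cn=bob,ou=finance,{ROOT}")]:
        print(who, "on", what, "->", sorted(d.effective(who, what)))
```

The same mechanism is what makes a mistaken grant high in the tree expensive: anything placed on the root with inheritance enabled is automatically held over every subordinate object, which is why the placement of delegated rights deserves the preparation the article describes.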
Tom Nolle, president of CIMI Corporation, a technology assessment and consulting company, believes that organizations should ask themselves several questions before implementing a directory-enabled network solution:
- Do you have relatively frequent instances in which problems such as congestion impair the performance of your most important applications?
- Do you have persistent problems maintaining multiple databases that describe your users, applications, and the network?
- Is your network based on a well-planned, cohesive, switched-LAN architecture?
Nolle advises that if you answer “no” to two of these questions, there is a good possibility that implementing directory-enabled networking will cause more trouble than it is worth.
As you can see, the implementation of a directory-enabled network management system with policy-based administration and metadirectories is not a simple undertaking. The bottom-line question to consider is whether the benefits of such an organizational system outweigh the initial costs and the potential for problems in implementation.
The final part of this series will discuss the major players in this budding technology, including Microsoft, Cisco, Novell, IBM, and Oracle. We'll also discuss the battle over standards. Whatever so-called standard prevails will determine the direction of this technology for years to come.
A business consultant, Mark Kaelin also writes for TechRepublic and Louisville Computer News. For a diversion, he spends time on the softball field or the golf course and listens to rock 'n' roll.
Mark W. Kaelin has been writing and editing stories about the IT industry, gadgets, finance, accounting, and tech-life for more than 25 years. Most recently, he has been a regular contributor to BreakingModern.com, aNewDomain.net, and TechRepublic.